我们需要创建一个允许我们在客户的S3账户中访问存储区的IAM用户(前提是他们允许我们访问这些存储区)。S3 IAM访问其他账户的政策
我们已经创建了一个IAM用户在我们的帐户与以下在线政策:
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:PutObjectAcl",
"s3:ListMultipartUploadParts",
"s3:PutObject",
"s3:ListBucketMultipartUploads",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::*"
}
]
}
除此之外,我们将要求我们的客户使用下面的策略,并将其应用到自己的相关斗:
{
"Version": "2008-10-17",
"Id": "Policy1416999097026",
"Statement": [
{
"Sid": "Stmt1416998971331",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::229569340673:user/our-iam-user"
},
"Action": [
"s3:AbortMultipartUpload",
"s3:PutObjectAcl",
"s3:ListMultipartUploadParts",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::client-bucket-name/*"
},
{
"Sid": "Stmt1416999025675",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::229569340673:user/our-iam-user"
},
"Action": [
"s3:ListBucketMultipartUploads",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::client-bucket-name"
}
]
}
虽然这一切似乎做工精细,我们已经发现了一个重要问题是我们自己内部的直列政策似乎充分使用我们-IAM用户所有我们自己的内部桶。
我们是否错配了某些东西,或者我们在这里丢失了其他明显的东西?
如果外部账户授予您账户中特定IAM用户的权限,第一项政策似乎不必要你能删除它并确认吗? –